Can We Save Privacy by Treating Info Like Private Property?

Treating all personal information as private property is far from a clear and simple solution.

May 25, 2018

Amitai Etzioni

Treating personal information like private property is a popular solution to the threats to privacy in the cyber age. It has only one problem: it is unworkable, at least if you care about public health, science, commerce, safety and security (among other public goods).

The essence of the idea is that if someone wants to use a piece of personal information, then they will need to get your permission (and if you wish, pay for this privilege). And if you disclosed personal information to another party, then that party can use it only for the purposes you agreed to and will not be allowed to share it with others, without the original owner’s explicit consent.

Among those who advocate this idea is Andy Kessler, a former hedge fund manager and columnist for the Wall Street Journal, who championed it in the article “A Better Way to Make Facebook Pay.” He notes that the United States is a country founded on property rights. Hence “Congress can deliberate for 90 seconds and then pass the Make the Internet Great Again Act. The bill would contain five words: ‘Users own their private data.’” Under this solution, users’ Facebook data—photos, “Likes,” ads that have been clicked on, and much else—would be kept in a “virtual locker.” It would be up to individual Facebook users to decide how these data may be used. Furthermore, users would be able to decide how much data they want to share, and Facebook would pay accordingly on a sliding scale.

For homeland security and public safety the suggested approach raises major difficulties. It is widely understood that under most circumstances the government cannot legally search anyone (i.e. violate their privacy) unless it has shown to a court that it has probable cause to suspect that the person is a criminal or terrorist. Much less attention is paid to the question of how the government can gain such information, if it is not allowed to search before it gets a warrant. The answer lies in large part in drawing on personal information which people disclosed to others, for instance when they opened a bank account, purchased a house, got credit and so on. Under the third-party doctrine, if a person discloses information to another party, then he or she no longer has a “reasonable expectation of privacy” and the government may obtain the information without a warrant. If the government must ask suspects for their consent prior to accessing personal data, then not only is consent unlikely to be obtained, but the suspects will also be tipped off that the government is investigating them. Thus, ending the third-party doctrine would severely set back homeland protection and law enforcement.

Research would be bedeviled as well. A medical researcher tried some years back to get personal consent from several thousand people to interrogate their medical records. He found that some could not be found, others were six feet under, and quite a few refused. He spent most of the funds set aside for his project on trying to gain consent—and ended up with a very unrepresentative sample of the population, given that the older and the less educated patients refused more often than others. One may say that he could use the data after removing personal identifiers, a process referred to as anonymization. However, under the new doctrine, he still would need their consent for their data to be included in the study in the first place.

Commerce would also suffer. Advertising is considered an essential part of modern commerce. By using personal information to make advertising more relevant to those exposed to it, Facebook and Google have made commerce more efficient. If many people refuse to let companies “read” their personal preferences, we shall go back to exposing them to ads less relevant to their interests. Finally, someone figured that personal information about a given person is used at least seven hundred times a day. If such usage required permission from the “owner,” then people would have to spend a good part of their day refusing or agreeing to share their information (as well as exploring various offers for trading privacy for coupons).

That all these concerns are far from theoretical can be seen in a closer look at the European Union’s Data Protection Directive (DPD). It is often hailed as an example of a sound way to protect privacy by maintaining ownership. Indeed, it states that any secondary use of personal information released by a person or collected about him requires the explicit a priori approval of the original individual “owner” of the information, and that this consent cannot be delegated to an agent or machine. The details of the DPD are complex and changing. However, it deals with all the issues I raised above by making exceptions to the ownership rule in many areas, including when the data is needed for the purposes of research, public health, or law enforcement, among others.

Finally, the law is not enforced. No wonder a large majority of the EU public—70 percent—fears that their personal data is misused.

The fact that treating all personal information as private property is far from a clear and simple solution can be further gleaned from the following exchange between Sen. Jon Tester and Mark Zuckerberg during the recent hearings.

TESTER: “You said—and I think multiple times during this hearing—that I own the data on Facebook if it’s my data.”

ZUCKERBERG: “Yes. So, senator, when I say it’s your data, what we mean is that you have control over how it’s used on Facebook.”

Well, not so fast. Any personal information one puts into Facebook is not treated as personally owned unless one takes special steps to so protect it. And the steps that one must take, the settings, are complex and bewildering. Above all, privacy at Facebook and other tech firms is an opt-in rather than an opt-out system, the latter being required if one owns one’s data.

Some kind of regulation is clearly called for rather than leaving the matter to each individual to negotiate with Facebook et al. My suggestion is that information considered sensitive—medical, financial—should be protected by the law, as it currently often is, without assuming private ownership. Hence, secondary usage would require prior consent. However, much less sensitive information—which foods I prefer, or hotels, or cars—would be treated as it currently is, under the third-party doctrine. People who disagree and seek to protect all personal information, but still use Facebook, Google and other such services, should be able to opt out of the data collection by the corporations but pay for their services.

The EU General Data Protection Regulation, which enters into force May 25, 2018, replaces the DPD and offers some significant changes to the law. For example, the GDPR expands the definition of personal data and grants the right to access one’s personal data, as well as the right to data portability. However, it continues to treat great amounts of personal information the same way as the DPD did: as if it is not personally owned and no consent is required for various usages. Thus, for example, the Electronic Privacy Information Center reports that “data that falls under a law enforcement data regulation or is processed for national security purposes is not covered” under the GDPR. Furthermore, “the GDPR explicitly permits re-purposing collected data for research” and “it also may permit a controller to collect personal data initially for research purposes, without requiring the data subject’s consent,” writes Gabe Maldoff. He adds that, “at least in some cases, researchers may further process personal data for research purposes in spite of a data subject’s request for erasure.”

In short, there are major segments of the data world in which individuals will need to be protected by regulations that will determine what is fair versus improper or abusive use, rather than relying on individuals to protect themselves.